aironet SAP2602 working only with some clients

Unanswered Question
Feb 4th, 2014

Hi,


I've an aironet sap2602 that behaves strangely: dhcp negotiation is allowed only for some clients and not for others.


In detail, AP is connected to a captive portal system, so everybody is allowed to connect by itself, but you have to pass captive portal in order to go on internet.


Captive portal is also dhcp server.


On captive portal I see dhcp transaction only for some clients (the one that work fine), for other clients I don't see any negotiation, either successful or not.


I have done a packet sniffing with wireshark, so I can tell it's not a Captive Portal problem, but something between AP and client, since I don't see traffic from the mac address of the faulty client.


My question is: how can I debug this situation on the AP?


Thanks a lot

Scott Fella Tue, 02/04/2014 - 08:10

Post your show run-config and tell us what specific devices if any are having issues.

Sent from Cisco Technical Support iPhone App

sandman42 Tue, 02/04/2014 - 08:29

Here it is:


MyAP#sh run
Building configuration...


Current configuration : 4325 bytes
!
! Last configuration change at 06:50:57 +0100 Mon Mar 1 1993 by myuser
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MyAP
!
logging rate-limit console 9
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip routing
ip domain name mydomain.it
!
!
dot11 syslog
dot11 vlan-name WIRELESS vlan 1
!
dot11 ssid MYSSID
   vlan 1
   authentication open
   guest-mode
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-REMOVED
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-REMOVED
revocation-check none
rsakeypair TP-self-signed-REMOVED
!
!
crypto pki certificate
[REMOVED]
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid MYSSID
!
antenna gain 0
stbc
speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
ssid MYSSID
!
antenna gain 0
no dfs band block
stbc
speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
channel dfs
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1
no ip route-cache
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.125.253 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.125.1
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
!
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
transport input all
!
end


MyAP#


Thanks

Stephen Rodriguez Tue, 02/04/2014 - 08:55

Is it one device that is having an issue or more than one?



HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

sandman42 Tue, 02/04/2014 - 09:19

More than one, for now PCs (laptops), but between identical laptops, one works and one doesn't.

Scott Fella Tue, 02/04/2014 - 09:12

You're using open authentication from what I see, so I don't think it's an issue with the AP unless you removed some of your SSID configurations.

Sent from Cisco Technical Support iPhone App

sandman42 Tue, 02/04/2014 - 09:21

It is IMHO because if I sniff network traffic on the connection between AP and DHCP server I see no DHCP traffic between the two, so if ever the DHCP server is faulty, I'd have to see some unsatisfied dhcp requests on the network.

Rasika Nayanajith Tue, 02/04/2014 - 10:38

Hi,


You can run the following debug command on your AP & see if that gives any useful information with a client who can't get an IP.


AAP1#debug ip dhcp server packet detail



HTH

Rasika


**** Pls rate all useful responses ****

sandman42 Tue, 02/04/2014 - 23:59

The debug works if the dhcp server is the ap.


I've set it up with:


ip dhcp excluded-address 192.168.125.1

ip dhcp excluded-address 192.168.125.253

ip dhcp excluded-address 192.168.125.254

ip dhcp pool myapp

int BVI1

ip helper-address 192.168.125.1


and the results are:


*Mar  2 00:17:22.349: %SYS-5-CONFIG_I: Configured from console by XXXX on vty0 (192.168.125.1)

*Mar  2 00:17:28.565: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 6896.yyyy.zzzz Reason: Sending station has left the BSS

*Mar  2 00:17:28.565: %DOT11-4-MAXRETRIES: Packet to client 6896.yyyy.zzzz reached max retries, removing the client

*Mar  2 00:17:32.565: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6896.yyyy.zzzz Associated KEY_MGMT[NONE]

*Mar  2 00:17:32.637: DHCPD: client's VPN is .

*Mar  2 00:17:32.637: DHCPD: No option 125

*Mar  2 00:17:32.637: DHCPD: DHCPREQUEST received from client 0168.aaaa.bbbb.cc.

*Mar  2 00:17:32.637: DHCPD: Finding a relay for client 0168.aaaa.bbbb.cc on interface BVI1.

*Mar  2 00:17:32.637: DHCPD: setting giaddr to 192.168.125.253.

*Mar  2 00:17:32.637: DHCPD: BOOTREQUEST from 0168.aaaa.bbbb.cc forwarded to 192.168.125.1.

*Mar  2 00:17:32.637: DHCPD: client's VPN is .

*Mar  2 00:17:32.637: DHCPD: No option 125

*Mar  2 00:17:32.637: DHCPD: forwarding BOOTREPLY to client 6896.yyyy.zzzz.

*Mar  2 00:17:32.637: DHCPD: no option 125

*Mar  2 00:17:32.637: DHCPD: creating ARP entry (192.168.125.31, 6896.yyyy.zzzz, vrf default).

*Mar  2 00:17:32.637: DHCPD: broadcasting BOOTREPLY to client 6896.yyyy.zzzz.

*Mar  2 00:17:51.913: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 6896.yyyy.zzzz Reason: Sending station has left the BSS

*Mar  2 00:17:51.917: %DOT11-4-MAXRETRIES: Packet to client 6896.yyyy.zzzz reached max retries, removing the client

*Mar  2 00:18:03.257: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6067.2000.d4ac Associated KEY_MGMT[NONE]

*Mar  2 00:18:11.873: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 6067.MMMM.NNNN Reason: Sending station has left the BSS

*Mar  2 00:18:41.669: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6067.MMMM.NNNN Associated KEY_MGMT[NONE]


without helper address on BVI1:

*Mar  2 00:20:30.797: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 6067.MMMM.NNNN Reason: Sending station has left the BSS

*Mar  2 00:20:31.957: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6067.MMMM.NNNN Associated KEY_MGMT[NONE]


So I think there should be something wrong while associating devices with AP.


Ciao
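
One way to summarize console output like the log quoted above per client, as an added example that is not part of any post in this thread. It assumes the syslog and DHCPD debug line formats shown in that post (DHCPD lines appear only with the debug enabled and the AP relaying); the MAC addresses in the sample are constructed and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted in the thread;
# the MAC addresses are made up.
SAMPLE_LOG = """\
*Mar  2 00:17:32.565: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6896.0000.0001 Associated KEY_MGMT[NONE]
*Mar  2 00:17:32.637: DHCPD: forwarding BOOTREPLY to client 6896.0000.0001.
*Mar  2 00:17:51.917: %DOT11-4-MAXRETRIES: Packet to client 6896.0000.0001 reached max retries, removing the client
*Mar  2 00:18:03.257: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6067.0000.0002 Associated KEY_MGMT[NONE]
*Mar  2 00:18:11.873: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 6067.0000.0002 Reason: Sending station has left the BSS
*Mar  2 00:18:41.669: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   6067.0000.0002 Associated KEY_MGMT[NONE]
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
PATTERNS = {
    "assoc": re.compile(r"%DOT11-6-ASSOC: .*Station\s+" + MAC),
    "disassoc": re.compile(r"%DOT11-6-DISASSOC: .*Station\s+" + MAC),
    "maxretries": re.compile(r"%DOT11-4-MAXRETRIES: Packet to client " + MAC),
    # Only BOOTREPLY lines are keyed by MAC; request lines carry a client-id.
    "dhcp": re.compile(r"DHCPD: .*BOOTREPLY to client " + MAC),
}

def summarize(log_text):
    """Count per-client association, loss and DHCP-reply events."""
    stats = defaultdict(lambda: dict.fromkeys(PATTERNS, 0))
    for line in log_text.splitlines():
        for event, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                stats[m.group(1)][event] += 1
    return dict(stats)

def silent_clients(stats):
    """Clients that associated but for which no DHCP reply was relayed."""
    return sorted(mac for mac, s in stats.items()
                  if s["assoc"] > 0 and s["dhcp"] == 0)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for mac, counts in result.items():
        print(mac, counts)
    print("associated, no DHCP reply seen:", silent_clients(result))
```
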

Rasika Nayanajith Wed, 02/05/2014 - 00:40

Hi


Can you make the following modification & see if that makes any difference? In the current configuration you have configured vlan 2 as native on the ethernet side & vlan 1 as native on the radio side.


interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
no ip route-cache
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning


HTH

Rasika


**** Pls rate all useful responses ****
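
The VLAN and bridge-group layout discussed in the reply above can be read out of a saved running-config mechanically. This is an added example, not code from anyone in the thread; the sample is a constructed excerpt shaped like the configuration posted earlier, and the function names are illustrative. It only reports which subinterfaces share a bridge group with differing VLAN IDs and which are in no bridge group.

```python
import re

# Constructed excerpt shaped like the running-config posted in the thread.
SAMPLE_CONFIG = """\
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.1
 encapsulation dot1Q 1
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
"""

def parse_subinterfaces(config):
    """Map each subinterface to its dot1Q VLAN, native flag and bridge group."""
    subifs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split()[1]
            current = subifs.setdefault(
                name, {"vlan": None, "native": False, "bridge_group": None}
            ) if "." in name else None  # physical interfaces are skipped
            continue
        if current is None:
            continue
        m = re.fullmatch(r"encapsulation dot1Q (\d+)( native)?", line)
        if m:
            current["vlan"], current["native"] = int(m.group(1)), bool(m.group(2))
        m = re.fullmatch(r"bridge-group (\d+)", line)
        if m:
            current["bridge_group"] = int(m.group(1))
    return subifs

def mixed_vlan_bridge_groups(subifs):
    """Bridge groups whose member subinterfaces do not share one VLAN ID."""
    groups = {}
    for name, s in subifs.items():
        if s["bridge_group"] is not None:
            groups.setdefault(s["bridge_group"], {})[name] = s["vlan"]
    return {bg: m for bg, m in groups.items() if len(set(m.values())) > 1}

def unbridged(subifs):
    """Subinterfaces that are not a member of any bridge group."""
    return sorted(n for n, s in subifs.items() if s["bridge_group"] is None)
```
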
